Summary
As proposed under the Cloud and AI Development Act (CADA), Member States and Union entities must conduct sovereignty risk assessments to determine the appropriate "Union assurance level" for public-sector cloud procurement. Article 29(3) mandates that the European Commission adopt implementing acts to specify the exact methodology, templates, and elements to be used, ensuring a consistent approach across the Union. When reporting assessment results to the Commission under Article 29(4), Member States must explicitly flag any departures from these prescribed templates or methodologies. Until these implementing acts are adopted, the specific template formats remain to be defined, but the legal obligation to use them once established is clear.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous framework for public procurement of cloud services, anchored in the concept of "Union assurance levels." To determine whether a specific public-sector activity requires the baseline assurance level (Level 1) or a higher level (Levels 2, 3, or 4) to safeguard public order, Member States and Union entities are required to carry out risk assessments. A cornerstone of this mechanism is the standardization of how these assessments are structured, documented, and reported.
The Legal Mandate for Standardized Templates
The requirement for uniformity is explicitly codified in Article 29(3) of the CADA proposal. This provision empowers the Commission to adopt implementing acts that define the operational details of the risk assessment process. Specifically, the text states that these acts shall specify:
- "the methodology to be applied";
- "the templates to be used"; and
- "the elements to be taken into account" by Member States and Union entities.
The legislative intent behind mandating specific templates is to prevent fragmentation. Without a standardized format, risk assessments could vary significantly in structure, depth, and clarity across different Member States. Such divergence would undermine the single market by making it difficult to compare risks, identify systemic vulnerabilities, or ensure that all relevant public-order concerns are addressed uniformly. By requiring a Commission-specified template, the proposal aims to create a uniform baseline for evaluating the sensitivity, criticality, and magnitude of data processed in cloud environments.
Substantive Elements the Templates Must Cover
While the precise layout of the templates will be defined in the future implementing acts, the substantive scope of the assessment is already fixed by Article 29(2). The templates will serve as the vessel for documenting the assessor's consideration of at least the following mandatory aspects:
- Data Sensitivity and Criticality: The assessment must analyze the sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order. It must also address the nature, scope, context, and purpose of any personal data processing, as well as the risks, of varying likelihood and severity, to the rights and freedoms of data subjects.
- Third-Country Access Risks: The template must capture an evaluation of the risk, and the consequent impact on public order, of access to such data by a third country, or by a legal entity established in a third country, that would be unlawful under Union law.
- Service Disruption Risks: The assessment must document the risk and consequent impact on public order of possible service disruption.
The template ensures that each of these factors is explicitly addressed and justified, preventing assessors from overlooking critical sovereignty risks in favor of purely technical cybersecurity considerations.
Reporting Obligations and Flagging Departures
The obligation to adhere to the template extends directly to the reporting phase. Article 29(4) requires Member States to provide the Commission with the results of their risk assessments within three months of carrying them out. Crucially, this article imposes a transparency requirement: Member States must indicate "where they depart from the implementing acts referred to in paragraph 3."
This provision creates a "comply or explain" mechanism. If a Member State or Union entity chooses not to use the prescribed template, or if they utilize the template but deviate from the methodology outlined in the Commission's implementing acts, they must clearly flag this departure in their report. This transparency is vital for the Commission to monitor the uniformity of the framework's application. It ensures that any deviation is visible and can be scrutinized, rather than hidden within inconsistent reporting formats.
Commission Oversight and Corrective Powers
The use of standardized templates significantly enhances the Commission's ability to exercise oversight. Article 29(5) grants the Commission the power to review the results of risk assessments. If the Commission concludes that the Union assurance level identified in a Member State's assessment is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the Union assurance levels needed for that public sector activity.
Having a standardized template makes this review process more efficient and legally robust. The Commission can quickly identify whether a Member State has followed the correct methodology and used the proper documentation structure. If a Member State has deviated from the template without justification, or if the assessment within the template fails to adequately address the risks outlined in Article 29(2), the Commission is better positioned to intervene and correct the assurance level. This ensures that public order is not compromised by inconsistent national interpretations.
Strategic Considerations: Multi-Cloud and Architecture
The templates are also designed to accommodate strategic decisions regarding cloud architecture. Article 29(9) requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services. While the specific details of this consideration will be shaped by the implementing acts, the template will likely include a dedicated section for documenting the rationale behind choosing a single-vendor versus a multi-cloud approach. This ensures that the risk assessment links architectural choices directly to the identified risks of dependency and resilience.
What this means for you
For public-sector procurement officers, legal teams, and compliance managers, the introduction of mandatory templates for CADA risk assessments signals a shift toward centralized standardization.
- Monitor for Implementing Acts: The specific templates do not yet exist in a final form. You must closely monitor the adoption of the implementing acts referenced in Article 29(3). These acts will define the exact structure, fields, and content requirements of the templates. Until these are published, you should continue to use your current risk assessment frameworks but ensure they cover the substantive elements listed in Article 29(2).
- Prepare for Standardization: Begin reviewing your existing risk assessment documentation. Ensure that your current processes already capture the sensitivity of data, risks of third-country access, and service disruption potential. This preparation will make the transition to the new, mandatory templates smoother once they are released.
- Document Deviations Proactively: If your organization currently uses a proprietary risk assessment tool that differs from the future Commission template, you must establish a robust process for documenting these deviations. When reporting to the Commission, you will be legally required to clearly explain why you departed from the prescribed methodology or template, as mandated by Article 29(4). Failure to flag these departures could lead to scrutiny or corrective measures under Article 29(5).
- Align Procurement with Assurance Levels: The outcome of your template-based risk assessment will directly dictate your procurement strategy. If the assessment identifies public order relevance, you may be restricted to procuring services with Union assurance levels 2, 3, or 4 under Article 30(3). Ensure your procurement teams understand that the risk assessment template is the gateway to determining which vendors are eligible for public contracts.
Common misconceptions
- Misconception: The templates are already final and published.
- Reality: The templates are not yet fixed. They will be defined in implementing acts adopted by the Commission under Article 29(3). The CADA proposal sets the requirement for their existence and purpose, but the specific format is still to be determined in secondary legislation.
- Misconception: You can ignore the template if you have your own robust risk assessment process.
- Reality: Article 29(3) mandates the use of the templates specified in the implementing acts. While you may have internal processes, the official assessment submitted to the Commission must use the prescribed template. If you do not use it, you must flag this departure in your report under Article 29(4), which may invite scrutiny from the Commission under Article 29(5).
- Misconception: The template only covers technical cybersecurity risks.
- Reality: The CADA risk assessment is broader than technical cybersecurity. It focuses on sovereignty and public order, including the risk of third-country access to data and service disruption due to geopolitical factors. The template will reflect this broader scope, not just IT security vulnerabilities.
This is general information about a draft EU regulation, not legal advice.